Vendor Management: Shared Assessments Program Updated for Oct. Debut
New Tools Aimed at Streamlining Process for Institutions, Vendors
The Shared Assessments Program, formerly known as the Financial Institution Shared Assessments Program (FISAP), is promoted by BITS (www.bitsinfo.org), a division of the Financial Services Roundtable (www.fsround.org), and is aimed at giving financial institutions a common tool for evaluating the security controls of third-party service providers. Launched in 2006, the program will debut version 4 of its two key tools in October -- the Agreed Upon Procedures (AUP) and the Standardized Information Gathering questionnaire (SIG) -- a development intended to make the process more intuitive for institutions.
Also in Oct., BITS is expected to release the results of its latest user survey -- now open to participation -- to assess how financial institutions are using the Shared Assessments Program and incorporating it into their vendor management programs.
Although the Shared Assessments Program in the past has been criticized for the sheer volume of questions in the SIG, a shorter version - "SIG lite" - has simplified the process, and proponents are hopeful that the newest iteration will emerge as the industry standard for institutions and vendors of all sizes.
Launched in Feb. 2006, the Shared Assessments Program now has more than 4,000 individuals representing 2,500 institutions downloading its questionnaire and procedure documents. Its users include some of the nation's largest financial institutions: Bank of America Corporation, The Bank of New York Mellon, Citi, JPMorgan Chase & Co., U.S. Bancorp, and Wells Fargo & Company. More than 50 financial institutions and major service providers participate through the Shared Assessments Working Group. The Big 4 accounting firms -- Deloitte & Touche, Ernst & Young, KPMG and PricewaterhouseCoopers -- serve as technical advisors.
The program's guidelines can be used to evaluate an outsourcer's controls for access, asset classification, personnel security, physical and environmental security, communications, business continuity and regulatory compliance. The Shared Assessments Program's goal is to create consistent standards for evaluating the controls that outsourcing vendors use to protect sensitive data, says Michele Edson, Senior Vice President of the Santa Fe Group, a strategic partner and preferred provider to BITS. Since May 2005, BITS and its members have contracted with The Santa Fe Group to manage the Shared Assessments Program.
The program's two free documents, the AUP and the SIG, are available for download from the BITS website.
The Payoff for Institutions, Vendors
In a user survey conducted last fall, BITS asked all 4,000 individuals representing 2,500 institutions how they were using the downloaded tools. More than 50 percent of the respondents said they were using the tools and were prepared to leverage them in their vendor assessment programs.
Since then, regulatory agencies have only turned up the heat on vendor management, increasing their requirements for institutions to better select, secure and manage their key vendors.
Yet, even in this regulatory climate, getting institutions to agree on anything can be problematic, so it is impressive that 55 institutions currently have signed up for the program, says Eva Weber, Analyst at Aite Group, a research organization that focuses on the financial services industry. "The other question is just who those 55 institutions are in terms of size and market presence," Weber says. "Call this a glass half full, or maybe even three quarters - the industry is clearly taking the program seriously, and that's a precursor to broader adoption."
Weber sees the compelling immediate elements as time and cost savings. "Institutions can streamline their compliance efforts and be more efficient because the issues have been clearly spelled out," she says.
The longer-term benefits hinge on broad adoption by institutions of all sizes. "Not only does this level of cooperation lower costs, it also produces a better result, as less time is spent on process and structure, and more time is spent on quality of the assessment, results and remediation," Weber says.
The Vendor's Perspective
Yodlee, a CA-based banking vendor, has embraced the program from its beginning. According to Timothy J. O'Brien, Senior Vice President of Operations and Information Security, Yodlee Incorporated, the BITS Shared Assessments Program is used as the key measurement of Yodlee's security level as compared against financial industry standards. This is also used as the key instrument in communicating a large volume of data to banks and other clients on the specifics of Yodlee's security. "When a company follows this program, the results provide specific data on technical architecture, data handling, policies and procedures, risks, and all other aspects to ensure sound operations for any business working in the financial sector," O'Brien says.
From O'Brien's perspective, there are two significant benefits to the Shared Assessments Program:
- The program is based on industry standards - security standards set by an independent body. "There are so many different security standards (ISO27002, PCI, COBIT, etc.) that it makes it difficult to pick one or two and be confident that this will cover all the needs of the business," says O'Brien.
- It reduces work hours in measuring and reporting one's security level. He says any company that does business in the financial sector, especially with clients who are a regulated entity, knows that these clients require a significant amount of information related to the security of consumer data. By utilizing the same standards, same processes and same tools, vendors and institutions alike can realize a significant reduction in repetitive work.
For Yodlee, the biggest success so far has been the acceptance by its clients (banks, brokerage firms, etc.). Yodlee was one of the initial firms in the BITS pilot that began in 2005. "This is a major milestone in that other companies recognize that the Shared Assessments Program includes stringent security standards equal to or better than all other standards," O'Brien says. A smaller milestone was realized just recently, when Yodlee was asked by a large financial institution to complete a security questionnaire or supply the Standardized Information Gathering ("SIG") from the Shared Assessments Program. "This saved numerous hours just on one request," he says.
Data storage giant Iron Mountain was also an early adopter and the first service provider in its industry to join the Shared Assessments Program. The reason was clear, says Scott Brown, Program Manager for Iron Mountain's Financial Services group. "We saw it as an opportunity to join an effort that would help raise the bar for information security."
The initiative provides an industry standard for information security audits of vendors serving the financial services sector, and participation helps Iron Mountain respond quickly and efficiently to a growing number of client requests for these audits. From 2004 to 2007, says Brown, Iron Mountain experienced a 15-fold increase in unique client information security audits, which put a significant drain on the organization.
Today, Brown says more than 90% of current client information security audits are fulfilled by leveraging the Shared Assessments Program - even outside the financial services industry. "Not only does the program save our company time and resources, but our customers also benefit by getting the information they need immediately," Brown says. "We've also been able to reassign two full-time employees to other strategic initiatives as a direct result of the program. We are particularly pleased with the evolution of the program in a way that responds to the dynamic regulatory environment."
An Institution's Perspective
The Depository Trust & Clearing Corporation (www.DTCC.com) is in a unique industry position: it provides comprehensive clearing and settlement services to banking, brokerage and insurance firms, while also being a financial institution regulated by several federal agencies. So the BITS Shared Assessments Program satisfies multiple needs. (DTCC's depository provides custody and asset servicing for more than 3.5 million securities issues from the United States and 110 other countries and territories, valued at $40 trillion. Last year, DTCC settled more than $1.8 quadrillion in securities transactions.)
DTCC has a mature security program in place, so completing the SIG & AUP enabled it to provide a consistent set of artifacts to participants wishing to complete their service firm security assessment consistent with FFIEC guidelines. The internal costs of the Shared Assessments program are significantly less than fulfilling every unique request for the same information coming from multiple financial service firms.
The second major benefit of the Shared Assessments Program came from its integration with DTCC's vendor management program, where firms providing services to DTCC are placed into one of three categories, each with specific requirements supported by the Shared Assessments Program. Here too, DTCC reviews security assessment artifacts from vendors in a consistent, emerging industry-standard format, and in this case both DTCC and its service vendors realize significant savings through a more efficient compliance process with high-quality artifacts. The internal costs for vendor security assessments have been reduced to less than 10% of last year's cost, primarily through the use of the AUP as one of DTCC's requirements for service firms that have access to sensitive information. DTCC held a forum for its service vendors to introduce the requirements for service firms, including the Shared Assessments components. This has enabled faster adoption by firms.
Next Steps for Broader Acceptance
As the results of the Shared Assessments Program user survey being conducted this month are compiled, the program's depth of use and acceptance will have a new measure, says Edson. As the new version of the program's guidelines is released in October, Edson and the program's steering committee believe there will be more interest from institutions and vendors alike.
David Walter, Senior Product Manager from enterprise risk and compliance management vendor Archer Technologies, believes the program has a very bright future. "The adoption rate has already started to increase," Walter says. "The key will be to continue updating the questions to reflect current technology platforms and security risks so the questions do not become outdated."
Aite's Weber says the challenges ahead for the Shared Assessments Program are fairly typical for any situation where you're trying to get people to change their behavior. She encourages making sure the program has the right value proposition for all parties. "Communicating that value proposition effectively is critical," Weber says. And yet the program's champions have to be realistic: "With even the best, most broad approach there will still be significant customization," she says. "You can't wish it away - you have to have a plan to leverage standardized content where that makes sense, and create highly customized content where that makes sense. The Shared Assessments Program does that by creating consensus around what the key issues are and how they need to be addressed."